Cryptographic algorithms lifecycle report 2016
Research report
Version 3.0
June 22, 2016
81 pages
Doc. A-101-3

Project leaders: Kaur Kullman (Estonian Information System Authority), Mari Seeba (Cybernetica)
Contributing authors: Ahto Buldas, PhD (Cybernetica); Kristo Heero, PhD (Cybernetica); Peeter Laud, PhD (Cybernetica); Riivo Talviste, PhD (Cybernetica); Jan Willemson, PhD (Cybernetica)

Estonian Information System Authority, Pärnu maantee 139a, 15169 Tallinn, Estonia. E-mail: [email protected], Web: https://www.ria.ee, Phone: +372 663 0200.
Cybernetica AS, Mäealuse 2/1, 12618 Tallinn, Estonia. E-mail: [email protected], Web: https://www.cyber.ee, Phone: +372 639 7991.

© Estonian Information System Authority, 2016
Cryptographic algorithms lifecycle report 2016, version 3.0, June 22, 2016

Foreword
Estonia has a reputation for being a capable and mature IT country. This is enabled, on the one hand, by the very high standard of natural sciences education Estonians received during the Soviet era and, on the other hand, by our geographical and cultural position. After all, Estonia is a country on the frontier of the Western and the Eastern civilisations. This position lets us understand the differences and similarities, threats and opportunities of both cultural hemispheres, giving us a unique set of intercultural wisdom in understanding Eurasia, while our good level of education enables us to innovate. Due to Estonia's tiny population (1.3 M¹) and moderate GDP (€22.5 B²), we can offer the international community neither fundamental inventions nor principally new technologies. However, Estonia has been extremely successful in creating technological solutions that enable a modern e-society, e-governance and a digital lifestyle. Among those are
• a nationwide mandatory public key infrastructure (PKI) that enables citizens, institutions and companies to digitally sign documents,
• the X-Road connectivity system, which serves as the primary trust anchor for the messaging layer that the IT systems of our public and private stakeholders use for communication, and, last but not least,
• a unique and cryptographically strong Internet voting system that we have used 8 times already for local and national elections, with up to one third of ballots cast electronically over the Internet.
However, as an advanced digital society with a dependency model comparable to the traditional Western approach, Estonia with its IT-dependent systems is inherently vulnerable to various threats. These include malicious attacks, administrative mistakes and political turmoil, but also general human stupidity. As many of our government and private sector services have been optimised for the e-society, most of the corresponding institutions (e.g. banks and postal service providers) no longer have enough offices to serve citizens in the physical world alone; they usually keep only a few offices in the larger towns. Because of our tiny economy, it is not economically feasible to serve clients in the traditional way, face to face: it would be too expensive for the clients, i.e. the Estonian taxpayers. In the contemporary world, this means that Estonia has no plan B, should the risks to our
¹ https://www.stat.ee/277564
² https://www.stat.ee/277536
e-society materialise. If we fail to keep our critically important IT infrastructure running, our e-lifestyle will collapse, bringing down the whole of Estonian society with it. The Dutch DigiNotar case in 2011 demonstrated the hard choices a country faces if a PKI supporting its government's IT systems is compromised. To sustain the society, the Dutch government had to rely on potentially compromised systems for the continuity of its operations. The DigiNotar case served as a wake-up call for the Estonian politicians, who finally understood the need for our country to plan ahead against similar threats. Estonia needs to be able to continue its operations in case the trust in Estonia's PKI fails, some cryptographic primitive is suddenly broken, or the trust in the cryptographic primitives used for our digital signatures is undermined, rendering the systems supporting our e-society unreliable and/or untrustworthy. Therefore, it was decided in 2011 to assemble a scientific task force to analyse the problems and risks that reliance on cryptography poses to the sustainable functioning of our society. One has to take into account that while Estonia has a well-established cryptographic school of thought, the country is most likely not (yet) able to work out and standardise its own cryptographic primitives. Thus, we rely on known cryptographic algorithms standardised by other countries. Establishment of this scientific task force was delegated to the Estonian Information System Authority³ (Riigi Infosüsteemi Amet or RIA in Estonian). Among other duties, RIA coordinates the development and administration of the state's information systems, organises activities related to information security and handles the security incidents that occur in Estonian computer networks.
RIA also advises the public services and critical infrastructure providers on how to manage their information systems. To this end, RIA participates in the development of the corresponding requirements, including the legal framework and the baseline protection system ISKE (based on BSI's IT-Grundschutz). Maintaining awareness of the state of the cryptography that our country depends on was therefore a natural addition to RIA's portfolio of responsibilities. After the first report of this task force, it was clear that we had to keep updating the reports, as the field keeps developing. The report you, dear reader, are reading is the fourth in this series. It is an update, not a rewrite, of the previous reports. Nonetheless, we in RIA understand that the problems we have discovered on our path are generic and valuable for an international audience, especially for the countries that are following Estonia's example on the quest for a secure and sustainable digital society.
Anto Veldre Estonian Information System Authority
³ https://www.ria.ee/en/about-estonian-information-system-authority.html
Contents
1 Introduction

2 TLS attacks in 2015
2.1 Nature of attacks
2.2 Attacks against weaknesses in protocol logic
2.3 Attacks against insecure cryptographic constructions
2.4 Attacks against short keys
2.5 Attacks against weak cryptographic primitives
2.6 Attacks against misunderstandings in abstractions
2.7 Attacks against implementation errors
    Attacks against buffer overflows
    Timing attacks
    Attacks against missing checks

3 RSA public key cryptosystem
3.1 Breaking RSA with a classical computer
3.2 Breaking RSA with dedicated hardware
3.3 Breaking RSA with a quantum computer
3.4 Breaking RSA with a D-Wave computer
3.5 Transition to 3072-bit RSA

4 Elliptic curve cryptography
4.1 NSA Suite B controversy

5 Known attacks against hash functions
5.1 Types of attacks and the notions of hash function security
5.2 Collision attacks against Merkle-Damgård hash functions
5.3 Practical chosen-prefix collision attack against certificates
5.4 The cost of chosen-prefix collision attacks against SHA-1
5.5 Attacks against existing certificates

6 The SHA-3 hash function
6.1 Sponge construction
6.2 Padding
6.3 State transformation function
6.4 Instances of SHA-3

7 Secure computation outsourcing
7.1 Garbled circuits
7.2 Fully homomorphic encryption
7.3 Secure computation based on secret sharing
7.4 Security considerations
7.5 Applications and performance
7.6 Practical deployments

8 Post-quantum cryptography
8.1 Quantum computers
8.2 What is post-quantum cryptography?
8.3 Lattice-based cryptography
8.4 Multi-variate cryptography
8.5 Hash-based cryptography
8.6 Code-based cryptography
8.7 Standards and implementations

9 Cryptographic protocols over radio connection
9.1 MIFARE cards
9.2 MIFARE EV1 and Ultralight C authentication protocol
9.3 HID iClass
9.4 HID INDALA
9.5 Estonian public transportation cards
9.6 Deployment issues
9.7 Transparency issues

10 Mobile-ID protocol analysis
10.1 Authentication with Mobile-ID
10.2 Digitally signing documents with Mobile-ID
10.3 Other security considerations

11 Conclusions and recommendations

Bibliography

A Shor's algorithm
A.1 Basic Principles of Quantum Mechanics
A.2 Quantum Bit and Quantum Register
A.3 Quantum Gates
    Single Qubit Gates
    Two Qubit Gates
    Quantum Circuits
A.4 Quantum Fourier Transform
A.5 Shor's Period-Finding Algorithm

B Support for elliptic curves in various libraries
1 Introduction
This study is a natural continuation of three previous studies conducted in 2011, 2013 and 2015 [9, 12, 18]. Whereas the first two iterations aimed at giving a self-contained overview of the status of all major cryptographic primitives and protocols in practical use, the report published in 2015 only contained updates on some specific topics. The current version follows this approach and only covers certain topics that are of interest from the viewpoint of information systems used in Estonia in 2016. However, both the procurer (Estonian Information System Authority) and the authors (Cybernetica's research team) feel that many of the topics are actually quite universal and hence the subject of wider international interest. This is the reason why the 2016 report is the first one in the series to be written in English. Even though we do not aim to be self-contained and may occasionally refer back to the older Estonian versions, most of the study should be comprehensible without fluency in Estonian. The report covers both the state of cryptographic primitives and their application in higher-level protocols. In general, cryptographic primitives are rather well understood and studied objects. Compared to the frequency of protocol-level vulnerabilities, primitives are broken rather rarely. However, since many of the primitives are implemented in very low-level layers of the communication infrastructure (often even in hardware), such a break may have far-reaching consequences. Luckily, cryptographic primitives are typically not broken overnight. First, some structural weaknesses are discovered, and it takes time to develop exploits based on those findings. Even then, a considerable amount of computing power may be needed to exploit a weakness, which may initially not be affordable to all interested parties. This is why developments in cryptanalysis need to be constantly monitored, and the current report is one step in this global effort.
We will not make a full round through all the major primitives, but rather present updates to the previous reports [9, 12, 18]. A very thorough treatment of the matter can also be found in the ECRYPT II report [39]. In Estonia, the previous reports have already made a tangible impact, the latest example being our national Certification Authority (CA) AS Sertifitseerimiskeskus stopping the use of SHA-1 and SHA-224 in time-stamping requests at the beginning of 2016 [30]. We hope that this report will contribute to improving the security of our digital environment worldwide. This report covers the following topics. Chapter 2 describes the most prominent weaknesses found in 2015 in the TLS/SSL standards and some of their implementations. Chapter 3 reviews the state of one of the most widely used primitives, the RSA public key cryptosystem. We study the difficulty and monetary investment required to break RSA using various proposed methods, including quantum computers and specialised hardware.
The 2015 version of the report [18] contained a thorough introduction to elliptic curve cryptography. This time we only present a short discussion of the controversy created by the August 2015 NSA announcement (in Chapter 4) and an updated version of the table summarising the implementations of various curves in different libraries (in Appendix B). Another class of primitives that has received a lot of attention in recent years is hash functions. Chapter 5 reviews the best currently known attacks against existing constructions (including SHA-1), and Chapter 6 describes the new SHA-3 standard that was finally accepted in 2015 after years of development. The rest of the report deals with various application-level protocols and solutions. We start with an overview of secure computation outsourcing mechanisms (see Chapter 7), motivated by the general drive towards cloud computing. Chapter 8 describes the major candidates for asymmetric primitives in the post-quantum era. Chapter 9 studies radio frequency authentication tokens and Chapter 10 presents an analysis of the Mobile-ID protocol. Finally, Chapter 11 draws some conclusions and gives recommendations for improving the security of the systems to be deployed.
Acknowledgements
This report builds upon the efforts of many people. Over the years, more than 20 researchers and developers from Cybernetica have been involved, either directly contributing various chapters or giving their feedback after proof-reading. Still, most of the results described in this report were not created by Cybernetica's team, but originate from many groups in many countries. Our thanks go to all the researchers who have made creating this report possible. To improve the quality of the material presented, we have conducted several interviews with specialists in fields other than cryptography. We would like to thank Hardmeier, G4S and Johannes Heinsoo for their time and contribution to this report. And last but not least, the Estonian Information System Authority deserves the credit for initiating the whole process back in 2011, for giving the authors constant input and feedback, and for helping to carry the results into practice. Thank you!
2 TLS attacks in 2015
Transport Layer Security (TLS) (latest version 1.2 [84], with version 1.3 forthcoming [151]) and its predecessor, the Secure Sockets Layer (SSL), are presently perhaps the most widely used protocols for authentication and key agreement between two principals over the Internet, as well as for securing their traffic afterwards. For the purposes of security analysis, TLS consists of the handshake protocol for entity authentication and key agreement, and the record protocol for maintaining a secure channel. The two protocols are intertwined: while the record protocol uses the keys derived in the handshake protocol, the handshake protocol itself runs inside the channel provided by the record protocol. In the handshake protocol, the client and the server first send each other messages specifying which protocol versions and cipher suites they support, followed by messages containing their certificates and the values from which the master secret for the keys used in the record protocol can be derived. The parties then switch to the agreed-upon keys and ciphers (by exchanging ChangeCipherSpec messages) in the record protocol. Finally, they send each other the authenticated hash of all messages exchanged in the handshake protocol. A cipher suite specifies the public-key primitives used in the handshake protocol, as well as the symmetric cipher and message authentication code used in the record protocol. Depending on the public-key primitives used, the handshake protocol may have a slightly varying structure. The available cipher suites number in the hundreds⁴. The TLS protocol specifies an optimisation for faster start-up of the secure channel: it is possible to save the state of a previous connection between a particular client and server, and resume it afterwards. Such resumption requires fewer public-key operations than a full handshake.
Alternatively, it is possible to keep the secure channel up if it is known that it will be used again in the future. As the TLS protocol has many different versions and options, it is unlikely that all of them can be accounted for simultaneously in a security analysis of the protocol. In previous versions of this report [12], we have attempted to give an overview of the existing security analyses of TLS; we will not repeat it here. In this report, we give an overview of attacks against the TLS/SSL protocol and its implementations, and discuss possible remedies.
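The variety of cipher suites mentioned above can be inspected directly on any machine with a TLS library. The following sketch (an illustration written for this report, not part of the analysed protocols) uses Python's standard ssl module to list the suites that the local OpenSSL build enables by default; the exact output depends on the installed OpenSSL version:

```python
import ssl

# Enumerate the cipher suites the local OpenSSL build enables by default.
# Each entry bundles a key-exchange method, an authentication method,
# a symmetric cipher and a digest/AEAD mode: exactly the components
# that a TLS cipher suite specifies.
ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
suites = ctx.get_ciphers()
for s in suites[:3]:
    print(s["name"], "|", s["protocol"], "|", s["kea"], "|", s["symmetric"])
print(len(suites), "suites enabled by default")
```

Note that this lists only the locally enabled suites; the IANA registry referenced in the footnote enumerates the full standardised set.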
2.1 Nature of attacks
The attacks against TLS have a variety of causes. Genuine errors in protocol logic, leading to keys becoming known to the adversary or to a mismatch between the views of the client
⁴ https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml
and the server, are just one of them. Such errors were more prevalent in older versions of TLS/SSL, particularly in the first versions of SSL, support for which may still linger in some applications. Downgrade attacks, which first try to make the client and server agree on an old version of the protocol, are another significant attack class. Legacy manifests itself in the TLS protocol set in other ways as well. Up to the year 2000, the export of cryptographic software and hardware was restricted by the United States, with exceptions granted only to products that used encryption with at most 40-bit key strength. This led to the introduction of cipher suites with short keys. The lifecycle of such security-crippled cryptographic algorithms was not thoroughly considered, and nowadays these cipher suites may still be supported by some servers. By interfering with the handshake protocol, it may be possible to convince a client and a server to agree on such a cipher suite, leading to serious attacks. Somewhat later, evidence against the security of certain symmetric primitives started mounting; these primitives include the DES block cipher, the RC4 stream cipher, and the hash functions MD5 and SHA-1. Support for cipher suites containing these primitives may still be available. Again, certain attacks against TLS attempt to trick clients and servers into using such weak ciphers. A networked application together with an implementation of secure channels consists of several different layers, with the implementations of cryptographic primitives on the lowest layer. On top of it, there is the layer of cryptographic constructions that turn a block cipher into a symmetric encryption scheme or a trapdoor one-way permutation into an asymmetric encryption scheme.
The next higher layer is the protocol layer, which determines which messages are sent and when, how they are protected using cryptography, and which checks are made. This layer presents the secure channel abstraction to the application above it. Some potential weaknesses of this layer have been mentioned in the previous paragraphs. Other layers have also had their share of issues. It has long been known that the cryptographic constructions in TLS are somewhat different from the provably secure constructions [47]; attacks based on these differences have appeared in recent years. On the other side of the protocol layer, the details of the secure channel abstraction may be non-trivial and lead to insecure usage by the application. In particular, there exist attacks based on the fact that the channel does not hide the length of the messages inserted into it. The implementation of all layers is also a non-trivial matter. There have been different kinds of implementation errors which have led to attacks. Basic programming errors, e.g. buffer overflows, are perhaps the simplest kind, but they have provided the basis for some of the most well-known attacks. Another basis for attacks is the leakage of the internal protocol state due to sloppy programming; an attacker can use this to deduce the secrets used in the record protocol. Such leaks are mostly due to timing; as the logic of all layers is complex, it is surprisingly difficult to close all timing channels, or at least to sufficiently reduce their width. Yet another set of implementation errors is the absence of certain checks demanded by the protocol logic. In cryptographic protocols, it may be necessary to stop the execution if the format of a received message does not precisely match the specification, even though the message itself may still be understandable. The confusion about the necessity of certain checks is sometimes exacerbated by the lack of clarity in the documents specifying the protocol.
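The timing-channel point can be made concrete with a small Python fragment (our illustration, not code from any TLS implementation). A naive byte comparison of, say, a message authentication tag returns as soon as the first differing byte is found, so its running time leaks the position of the mismatch; the standard library offers a constant-time alternative:

```python
import hmac

def naive_equal(a: bytes, b: bytes) -> bool:
    # Early exit: the running time depends on the position of the first
    # mismatching byte, which an attacker may measure over many attempts.
    if len(a) != len(b):
        return False
    for x, y in zip(a, b):
        if x != y:
            return False
    return True

def safe_equal(a: bytes, b: bytes) -> bool:
    # hmac.compare_digest takes time independent of where inputs differ.
    return hmac.compare_digest(a, b)
```

Closing the channel at a single comparison site is easy; the difficulty noted above is that a full TLS stack contains a great many such data-dependent branches.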
In the following, we present known attacks against TLS/SSL, grouped by the targeted weaknesses. Some attacks make use of several weaknesses; we have grouped them under the "main" weakness which seems to enable them.
2.2 Attacks against weaknesses in protocol logic
During the lifetime of the secure channel provided by TLS, maintained by running the record protocol, a renegotiation may be triggered by the parties. In this case, the handshake protocol is run again, and the keys of the channel are updated. The new handshake protocol may use different parameters than the original one; this is used, e.g., to request the client to identify itself more strongly if it wants to access a more sensitive resource. The renegotiation attack [153], discovered in 2009, also allowed the identity of the client to change during renegotiation. In this attack, the attacker holds up the client's initial connection to the server, establishes a secure channel with the server itself, sends the server some data and triggers a renegotiation. The attacker then releases the client's connection and lets the renegotiation proceed between the client and the server, acting as a man in the middle. At the end of the renegotiation, the attacker can no longer read or inject messages on the secure channel. Nevertheless, the messages that the attacker previously sent to the server are now associated with the client, and the server thinks they came from the client. The renegotiation attack was thwarted by an extension to TLS [152], which has been supported in OpenSSL since version 0.9.8m. Many things are allowed to change during a subsequent handshake, and these changes, together with the way TLS sessions are identified during resumption, have enabled the triple handshake attack [52]. In this attack, the client establishes a session with the attacker, while the attacker establishes a different session with the server. In both sessions, the client is not identified at first. The attacker chooses certain parameters of the sessions such that they can be mixed up after interrupting and resuming them. During resumption, the attacker connects the client and the server to each other and causes the client to be identified.
At this point, the client still thinks it is talking to the attacker, but the server thinks it is talking to the client. More importantly, anything that the attacker sent to the server before interrupting and resuming the connections is now also attributed to the client by the server. After one more handshake, the client obtains a changed certificate from the server, but this is allowed by the TLS specification. At the time of publication, the attack was applicable against web browsers. It was mitigated by changing how interrupted TLS sessions are identified [51], removing the possibility of mixing up different sessions. Often, a protocol error stems from the fact that cryptographically protected messages contain too little information about their meaning, allowing the attacker to create confusion in the recipient of such messages. In [131], an attack is described where the values sent by the server to the client for computing the master secret, intended to be interpreted as the description of a certain elliptic curve and two points on it (for doing Diffie-Hellman key exchange over an elliptic curve), are modified by the attacker such that the client thinks they are parameters for ordinary Diffie-Hellman key exchange. If the attacker can compute the necessary discrete logarithms (which is not so unlikely, due to the apparent randomness of the parameters, including the description of the group), then it can itself complete the handshake with the client and set up a session where the client still thinks it is connected to the server. The attack is probably not very significant, because the probability that the necessary discrete logarithms can be computed is still low (on the order of 2⁻⁴⁰).
If the attacker learns a client's secret key, then it can impersonate this client to any server. But can it also impersonate servers to this client? In [54], the notion of Key Compromise Impersonation (KCI) attacks was introduced. It turns out that TLS is not secure against KCI attacks [110], i.e. servers can be impersonated to a compromised client. This can become an issue if the installation of the client's certificates and secret keys is handled sloppily, e.g. if the source of the secret key and the certificate may be malicious. The attack requires both the client and the server to have fixed (EC)DH key pairs.
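The essence of KCI with fixed DH keys can be seen in a toy sketch (our illustration with a deliberately small group; real deployments use far larger parameters): the shared secret is computable from the client's secret key and the server's public key alone, so an attacker who has planted or stolen the client's key can derive the session key without ever knowing the server's secret, and thus pose as the server:

```python
# Toy fixed-key Diffie-Hellman over a small prime field (illustration only).
p, g = 2_147_483_647, 5          # small prime modulus and base

client_secret = 123_456          # the client's fixed secret key
server_secret = 654_321          # the server's fixed secret key
client_pub = pow(g, client_secret, p)
server_pub = pow(g, server_secret, p)

# Honest parties derive the same shared secret from each other's
# public values:
shared_client = pow(server_pub, client_secret, p)
shared_server = pow(client_pub, server_secret, p)

# An attacker knowing client_secret (but not server_secret) derives
# the same value from public data alone, which is what enables the
# server impersonation in a KCI attack:
attacker_shared = pow(server_pub, client_secret, p)
```

The asymmetry to note is that the compromise of one party's long-term key breaks the authentication of the *other* party towards it, which is less intuitive than plain client impersonation.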
2.3 Attacks against insecure cryptographic constructions
Among the various cipher suites defined for TLS, there are those based on RSA encryption. "Textbook RSA" is semantically insecure, hence it is always used by encapsulating the plaintext into a format specified in the standard PKCS #1 [1]. This standard has several versions, and the format specified in PKCS #1 v2.0 [2] has provable security guarantees. However, TLS makes use of the padding specified in v1.5 of this standard, and it is this version of the standard that has ubiquitous support in various hardware and software applications. This is unfortunate, because the famous Bleichenbacher attack [56] allows a decryption server supporting PKCS #1 v1.5 to be used as a decryption oracle, by making a large number of queries to it with messages related to the message that the attacker wants to decrypt. There exist countermeasures against this attack [82], but these can in turn be exploited [117], such that we still have a decryption oracle. In 2012, the complexity of the original attack was reduced by a couple of orders of magnitude [42]. Still, the number of messages is high, and the attack requires the connection to be kept alive for many hours after receiving the challenge from the server in the ServerHello message, without completing a handshake. The TLS protocol itself does not contain the means to enforce a timely response to the challenge. The implementations of TLS, or of higher-level protocols using it, may contain mechanisms to time out the connection, but these mechanisms have been designed in an ad-hoc manner and may be easily circumventable [145]. E.g., for the implementation of the HTTPS protocol in the Apache web server, it is actually possible to keep the connection alive for many hours, such that the Bleichenbacher attack can be completed [145]. Therefore we have suggested [18] not to use RSA-encryption-based cipher suites in applications where a several-hours-long TLS handshake might pass unnoticed. In interactive applications (e.g.
serving the web to browsers), this should not be an issue. A secure block cipher can be turned into a secure symmetric encryption scheme, and into a secure channel, in a variety of provably secure ways [121]. Unfortunately, the IV-chained CBC mode of block ciphers specified in a number of cipher suites is not one of these ways, and theoretical weaknesses in it have long been known [40, 41]. These weaknesses have enabled the BEAST attack [88], provided the attacker can control the network traffic between the client and the server and also has some control over the messages that the client sends (e.g. by loading malicious JavaScript into the client's browser). The BEAST attack resulted in dropping the support for block ciphers in IV-chained CBC mode since TLS version 1.1 [83]. In SSL v3.0, the contents of the padding in the protocol records are unspecified, and the padding itself is not authenticated. This is the weakness that is exploited in the POODLE attack [136]. Under the same attacker model as for BEAST, the attacker can check the
equality of certain plaintext bytes in the messages the client sends out, eventually leading to the leakage of the client's secrets. There is no good mitigation of this attack besides not using SSL v3.0. If both the client and the server support SSL v3.0 (due to the need to talk to some parties that do not support any higher version of the protocol), then even if they both also support recent versions of TLS, the attacker may interfere with the initial messages of the handshake protocol, causing them to fall back to SSL v3.0. There is an extension to TLS [135] that mitigates such downgrade attacks, but the proper way is still to drop the support for SSL v3.0. In all versions of TLS, the contents of the padding have been fully specified, rendering the POODLE attack inoperative. However, some implementations of TLS have turned out not to strictly check whether the padding of incoming messages corresponds to the TLS standard [123]. These implementations are thus vulnerable to POODLE.
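The difference between the unspecified SSL v3.0 padding and the fully specified TLS padding can be sketched as follows (a simplified model written for this report; real record-layer processing involves MAC verification and further steps):

```python
def sslv3_padding_ok(plaintext: bytes) -> bool:
    # SSL 3.0: only the final byte (the padding length) is interpreted;
    # the padding bytes themselves may hold arbitrary values.
    pad_len = plaintext[-1]
    return pad_len + 1 <= len(plaintext)

def tls_padding_ok(plaintext: bytes) -> bool:
    # TLS: the padding-length byte and every padding byte must all carry
    # the same value, and a strict implementation must verify this.
    pad_len = plaintext[-1]
    if pad_len + 1 > len(plaintext):
        return False
    return all(b == pad_len for b in plaintext[-(pad_len + 1):])

# A record whose padding bytes are garbage passes the SSL 3.0 check but
# fails the strict TLS check; TLS implementations that skip the strict
# check reintroduce the condition POODLE needs.
garbled = b"\x41\x42\x43\xde\xad\xbe\x03"
```

The POODLE attacker exploits exactly the leniency of the first check: swapping ciphertext blocks changes the padding bytes, and the record is still accepted whenever the decrypted length byte happens to fit.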
2.4 Attacks against short keys
Certain cipher suites of TLS make use of short, so-called export-strength keys, in particular 512-bit RSA or Diffie-Hellman keys. These suites have been deprecated since the release of TLS v1.1 [83], but support is still present in deployed clients and servers. They are a critical component of the FREAK attack [50], where bugs in client code make the client accept a 512-bit RSA key from a server that still supports such keys and that, due to the adversary tampering with the first messages of the handshake protocol, thinks the client requested an export-strength cipher suite. We describe these bugs in more detail below, as they are really an implementation error. Factoring a 512-bit RSA modulus takes hours [50], but as the lifetime of an RSA key is longer than that (the search for 256-bit primes during key generation is a relatively expensive operation), the attacker can find the factors ahead of mounting the FREAK attack. Computing discrete logarithms modulo a 512-bit prime is somewhat more complex. Furthermore, in a Diffie-Hellman key exchange (with ephemeral keys, as is the usual deployment), new elements of the group are generated in each protocol session. The Logjam attack [32] is a practical attack against export-strength Diffie-Hellman key exchanges, where the discrete logarithm of a fresh group element has to be found. The input parameters to the discrete logarithm problem are the modulus p (a 512-bit prime number) defining the group, the base element g in this group, and the element h whose logarithm is sought. The output is a number y such that g^y = h (mod p). The attack depends on the following two facts:
• The search for a 512-bit safe prime is a difficult operation. Hence the servers use the same p for a long time. Even more, there are certain standard primes used by many servers [143].
• The state-of-the-art algorithms for discrete logarithms use only p (and perhaps g, which is fixed together with p) for the large majority of their computations. The value h is needed only at the very end.
Hence, knowing the 512-bit prime the server is going to use, we can do most of the discrete logarithm computation ahead of time, such that after learning the group element in the key exchange session, we can find its discrete logarithm sufficiently fast. The authors
of Logjam report that their precomputation for a fixed p took them slightly over a week (and consumed over 10 core-years of computing power). Afterwards, the computation of a discrete logarithm in this group requires on average 10 core-minutes, taking around 70 seconds of wall-clock time. They state that their computations are not optimized. If the server supports export-strength Diffie-Hellman key exchange, then forcing the connection down to such a cipher suite is again just a matter of tampering with the first handshake messages. After the server has sent the 512-bit group element in an authenticated manner, the attacker can take over and complete the handshake with the client. At the end of the handshake protocol, a message authentication code has to be applied to the sequence of messages exchanged during the handshake, but the attacker can do this because it knows the master secret at that time. The authors of the Logjam attack also speculate about the complexity of computing discrete logarithms in larger groups. They estimate that the precomputation for a single 1024-bit prime requires around 45 million core-years. The entire computation is parallelizable, but a large fraction of it is not embarrassingly parallelizable. They try to estimate the cost of hardware capable of performing this precomputation in one year (for a single 1024-bit prime). They guess that the cost is in the hundreds of millions of dollars (within an order of magnitude). This is definitely within reach of large countries. After the precomputation, the computation of a single discrete logarithm requires roughly one core-month, and this computation is easily parallelizable. To mitigate the attack, one has to use larger keys or unique 1024-bit groups.
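Logjam's split into an expensive p-dependent precomputation and a cheap per-target phase can be illustrated with the much simpler baby-step giant-step algorithm. Real attacks use the number field sieve, but the structure is analogous: the table below depends only on g and p, while h enters only in the second loop. This is a toy sketch with small parameters of our own choosing:

```python
from math import isqrt

def bsgs_precompute(g: int, p: int):
    # "Baby steps": depend only on the group parameters g and p,
    # so they can be computed before any handshake is observed.
    m = isqrt(p - 1) + 1
    table = {pow(g, j, p): j for j in range(m)}
    return m, table

def bsgs_solve(g: int, p: int, h: int, m: int, table: dict) -> int:
    # "Giant steps": the only phase that needs the fresh group element h.
    factor = pow(g, -m, p)  # g^(-m) mod p
    gamma = h
    for i in range(m):
        if gamma in table:
            return i * m + table[gamma]
        gamma = gamma * factor % p
    raise ValueError("no discrete log found")

p, g = 101, 2            # tiny toy group; Logjam targets 512-bit primes
m, table = bsgs_precompute(g, p)
y = bsgs_solve(g, p, pow(g, 57, p), m, table)  # recovers the exponent 57
```

Once `bsgs_precompute` has run, each additional logarithm in the same group costs only the cheap second loop, which is exactly the asymmetry Logjam exploits at a vastly larger scale.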
To use a unique 1024-bit group, the server has to generate the modulus itself, making sure that it does not have any weaknesses that may simplify the computation of discrete logarithms in the group it defines. This modulus will then be used in the handshake protocol sessions the server participates in. The generation of a safe modulus takes significant time (tens of seconds). Another possible mitigation is switching to elliptic curves, as the current discrete logarithm algorithms for elliptic curves do not gain as much from precomputation [95].

DROWN [38] is a different attack that relies on support for both export-strength cipher suites and old versions of TLS/SSL. In this attack scenario, the attacker has captured a TLS session between a client and a server, where the master secret has been generated from the pre-master secret that the client sent to the server encrypted with the server's RSA public key. In order to read the session, the attacker needs to decrypt that pre-master secret. The attack needs the server (or a different one, as long as it uses the same RSA key) to support SSL v2.0 and export-strength cipher suites. The attacker connects to the server and chooses SSL v2.0 for the handshake and a cipher suite with an export-strength (40-bit) symmetric key. The attacker passes a modified captured encrypted pre-master secret as its own encrypted pre-master secret. The server's response indicates whether this passes as a valid pre-master secret for the chosen cipher suite. To understand the server's response, the attacker has to brute-force a 40-bit secret. For 2048-bit RSA keys, the success probability of this step is such that the attacker should have around 1000 captured TLS handshakes and make around 20000 connections to the server (incurring a computational cost of around 2^50 in the process).
After finding a valid SSL v2.0 encrypted pre-master secret, the attacker can use techniques similar to Bleichenbacher's attack to decrypt it in around 20000 further connections to the server. The obtained plaintext can be transformed back to the pre-master secret of one of the captured TLS handshakes. Up to version 1.0.2, OpenSSL contained a bug that allowed a much more efficient attack of the same kind, without support for export-strength cipher suites. It allows the recovery of one in 260 TLS session keys using around 17000 connections to the server and negligible computational resources. The number of targeted keys can be lowered to 100, at the expense of an extra 10000 connections to the server. The obvious mitigation to the DROWN attack is to make sure that neither SSL v2.0 nor export-strength cipher suites are supported.
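To see why the 40-bit export keys exploited by DROWN are within reach of exhaustive search, the following sketch brute-forces a key by trial decryption. The key space is further reduced to 20 bits so the demo finishes quickly, and the SHA-256-based toy cipher is our own stand-in for the RC2-40 encryption used in real export suites:

```python
import hashlib

KEY_BITS = 20  # real export suites used 40 bits; 20 keeps the demo fast

def toy_encrypt(key: int, plaintext: bytes) -> bytes:
    # Stand-in for a 40-bit export cipher: XOR with a SHA-256-derived keystream.
    stream = hashlib.sha256(key.to_bytes(5, "big")).digest()
    return bytes(p ^ s for p, s in zip(plaintext, stream))

def brute_force(ciphertext: bytes, known_plaintext: bytes) -> int:
    # Try every key until encryption of the known plaintext matches.
    for key in range(2 ** KEY_BITS):
        if toy_encrypt(key, known_plaintext) == ciphertext:
            return key
    raise ValueError("key not found")

secret_key = 0x2BEEF          # a 20-bit key, unknown to the attacker
ct = toy_encrypt(secret_key, b"premaster")
recovered = brute_force(ct, b"premaster")
```

Scaling the same loop from 2^20 to 2^40 keys is roughly a million times more work, which commodity hardware handles in hours; this is why a 40-bit symmetric key offers no real protection.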
2.5 Attacks against weak cryptographic primitives
During the lifetime of TLS/SSL, the attacks against several primitives in its cipher suites have significantly improved. Attacks become possible if the support for such cipher suites lingers around for too long.

The RC4 stream cipher has been supported in TLS for a long time. Its weaknesses have also been known for quite a long time: in 2001, the keystream produced by RC4 was shown to be strongly non-random [91], and this weakness was used to break Wired Equivalent Privacy (WEP). However, the attack was not applicable to TLS/SSL, and in the meantime the BEAST attack described above increased the popularity of RC4, as that attack applied only to block ciphers. Over time, more correlations and biases in RC4 keystreams have been discovered, especially in their first ≈100 bytes [34, 168]. In TLS sessions, if the client is sending any passwords or secret cookies to the server, then these secrets typically occur at the beginning of the session and are encrypted with the bytes of the keystream that are near its beginning. Current knowledge about the biases in the RC4 keystream allows the guessing of an RC4-encrypted password in around 2^26 tries on average, using Bayesian analysis [99]. In February 2015, the cipher suites containing RC4 were prohibited from use in TLS [149].

TLS also makes use of hash functions, both in the record protocol (for computing the message authentication codes) and in the handshake protocol (when computing the signatures). Often, MD5 or SHA-1 are used for these purposes, with the justification that these hash functions have been shown to be weak only with respect to collision-resistance, while a weaker property suffices for the TLS protocol. Recently [53], the SLOTH attacks showed that collision resistance is indeed the property that is needed.
These transcript collision attacks are a form of man-in-the-middle attack, where the attacker chooses random values in two TLS handshake protocol sessions (acting as the server in one, and as the client in the other session) in a way that makes the hashes of the protocol transcripts equal. In the end, the client and the server have seemingly authenticated each other, but actually each of them has shared a key with the attacker. An obvious mitigation to these attacks is to stop using signatures based on the MD5 hash function. In the context of the SLOTH attack, SHA-1 is still relatively safe to use, because the sort of collisions needed (chosen-prefix collisions, see Sec. 5.2) are not yet so easy to find for it.
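The RC4 keystream biases discussed earlier in this section are easy to observe empirically. The sketch below implements RC4 and measures the classic bias of the second output byte towards zero, which occurs with roughly twice the uniform probability; the key length and trial count are our own choices for the demo:

```python
import os

def rc4_keystream(key: bytes, n: int) -> bytes:
    # Key-scheduling algorithm (KSA)
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]
    # Pseudo-random generation algorithm (PRGA)
    out, i, j = [], 0, 0
    for _ in range(n):
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) % 256])
    return bytes(out)

def second_byte_zero_rate(trials: int = 20000) -> float:
    # A uniform keystream would give a rate of 1/256 ≈ 0.0039;
    # RC4's second byte is zero about twice as often.
    zeros = sum(rc4_keystream(os.urandom(16), 2)[1] == 0
                for _ in range(trials))
    return zeros / trials

rate = second_byte_zero_rate()
```

Biases like this one, accumulated over many positions, are what allow the Bayesian password-recovery attacks cited above.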
2.6 Attacks against misunderstandings in abstractions
Intuitively, a secure channel can be thought of as an opaque pipe: a message goes in at one end and exits at the other, with outsiders having no means to observe it during transit. The actual secure channels provided by cryptographic protocols are a bit more transparent: they leak the lengths of the communicated messages. If the message has been compressed before sending, then its length depends on its compressibility, i.e. on its content [114]. If the attacker knows a part of the message, then the length of the compressed message tells him something about the similarity of the other parts of the message to the known part. The actual attacks using this channel appeared in 2012 and 2013 [89, 45, 106]. Their authors noticed that if the attacker can change a part of the message, then the changes in the compressed length tell him whether the changed part became more or less similar to the other parts. In the attacks, the attacker has some control over the client's web browser. He makes several slightly different queries towards the server, to which the web browser also appends the secret cookie. By observing the lengths of the compressed and encrypted queries, the attacker learns the secret.

The attack can be mitigated if the messages whose lengths the attacker observes are sent uncompressed. However, compression in the HTTPS protocol is supported at several levels. The TLS record protocol supports compression; switching it off does not affect performance much, because compression is also supported in HTTP. One may also turn off the HTTP-level compression in queries made by the client, but turning it off in server responses would seriously hamper performance. It is possible to execute the attack by only observing the lengths of responses, if the server reflects the contents of the queries back in the responses, including the secret cookie and the part of the query affected by the attacker. The mitigations against compression-based attacks are largely application specific.
One may try to fuzz the length of HTTP responses, or to disable the compression of responses to cross-site queries [155]. When a client (web browser) makes a query towards an HTTPS-enabled web server, we expect the created secure channel to be between this client and the server serving this HTTPS domain. If the server uses virtual hosting, serving many different domains, then the channels towards different domains may share certificates and/or state. As recently shown [79], in this case a page from one domain may be loaded under the other’s origin in the client browser. The countermeasures (proposed in the same paper) include tightening the configurations of web servers, but there is no single simple countermeasure that works equally well across all deployment scenarios.
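The compression length leak described at the start of this section can be reproduced in a few lines. The secret cookie, the attacker-controlled guesses and the use of zlib are all illustrative stand-ins for the HTTPS setting:

```python
import zlib

SECRET = b"sessionid=a7f3d9c1"  # hypothetical secret cookie

def observed_length(attacker_data: bytes) -> int:
    # The attacker sees only the length of the compressed (then encrypted)
    # record; encryption does not hide the length, so we omit it here.
    return len(zlib.compress(SECRET + attacker_data))

# A guess that matches the secret compresses noticeably better than one
# that does not, leaking information about the secret's content.
matching = observed_length(b"sessionid=a7f3d9c1")
wrong = observed_length(b"sessionid=q8w2e5r9")
```

Real attacks such as CRIME and BREACH refine this into a byte-by-byte recovery of the cookie, but the underlying observable is exactly this length difference.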
2.7 Attacks against implementation errors
A number of cryptographic libraries implement TLS. Errors in these implementations have been found from time to time, and these can also lead to high-profile attacks. The mitigation against such attacks is to upgrade to a version where the error has been corrected.
Attacks against buffer overflows

Perhaps the most famous attack against TLS, Heartbleed [14], resulted from an error in OpenSSL's implementation of the heartbeat extension to TLS. The error existed only in OpenSSL versions 1.0.1 through 1.0.1f; it was not present in other branches of OpenSSL. The description of the error was published on April 7th, 2014, and patched in OpenSSL version 1.0.1g, released on the same day. The TLS heartbeat extension is intended to keep a TLS channel up at times when there is no traffic to send. The party interested in maintaining the channel sends a message to the other party and expects the same message back. The format of the message also includes the length of the byte string to be repeated. A malicious party may construct a message where the alleged length is larger than the actual length of the byte string that the other party has to send back. The buggy versions of OpenSSL did not verify that the stated length was not excessively large. Instead, they sent back a message with length equal to the alleged length of the received message. Such a response message contained both the received message and the contents of the memory immediately following it. This area of memory may have contained values that the other party should not have learned, e.g. parts of the private key. A good explanation of the Heartbleed bug is given in [140]. Another buffer overflow error, discovered and patched on November 11th, 2014 [15], was the Winshock error [174] in the Schannel library used by Microsoft's web browsers and servers. This error was due to using one method for computing the length of the buffer to be allocated, another method for computing the length of the data copied into this buffer, and not verifying that the second value was no larger than the first [74].
The error could appear when a certificate was decoded from its transport format, and was hence triggerable by a malicious communication partner.
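The nature of the missing length check behind Heartbleed can be sketched in a few lines. This is a deliberately simplified model of the bug, not OpenSSL's actual code:

```python
def heartbeat_response(memory: bytes, payload_offset: int,
                       payload: bytes, claimed_len: int,
                       patched: bool) -> bytes:
    # 'memory' models the process heap; the payload sits at payload_offset.
    if patched and claimed_len > len(payload):
        return b""  # the fix: silently discard malformed requests
    # Buggy behaviour: trust the attacker-supplied length and read past
    # the payload, leaking whatever follows it in memory.
    return memory[payload_offset:payload_offset + claimed_len]

heap = b"PING" + b"---private-key-material---"
leak = heartbeat_response(heap, 0, b"PING", 30, patched=False)
safe = heartbeat_response(heap, 0, b"PING", 30, patched=True)
```

The buggy branch echoes back 30 bytes for a 4-byte payload, exposing the adjacent "private key material"; the patched branch rejects the request outright.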
Timing attacks

The timing attacks against TLS are related to the possibility of using one of the parties in a TLS session as a padding oracle. If a block cipher is used in the TLS record protocol, then a message authentication code is first added to the outgoing message, it is then padded to a multiple of the block length, and the result is encrypted using CBC mode. A padding oracle is created if the recipient of a message crafted by the attacker reveals why the decryption and decoding failed: did the padding have the wrong format, or was the message authentication code found to be wrong? A padding oracle allows the attacker to decrypt messages from the record protocol without knowing the session key [169]. The applicability of padding oracles in web hacking was demonstrated in [156]. A typical way of creating a padding oracle is through timing channels: discovering wrong padding takes less time than discovering a bad message authentication code. Since versions 0.9.6i and 0.9.7a, OpenSSL has contained protections against padding oracle attacks. Unfortunately, modern processor architectures are complex, and it is difficult to ensure that the processing time of a packet is independent of the contents of this packet. The Lucky Thirteen attack [35] showed that even a noisy oracle is useful for decryption. Since versions 1.0.1d, 1.0.0k and 0.9.8y, OpenSSL has contained code aimed at thwarting such attacks. A related class of timing attacks are the cache attacks, where the attacker code runs on the same processor as the victim code, but in a different process. The goal of the attacker is to determine a secret used by the victim code. The attacker and victim processes may
interact to a certain extent, because they share the processor cache. The attacker tries to bring the cache into a state where the timing of the victim's next steps depends on the value of the secret. The attacker will then try to measure the time it takes for the victim to execute. A recent example of such an attack is the Cachebleed attack [178]. The authors introduced cache-bank conflicts and measured the timing variations caused by them. In around 16000 executions, they managed to retrieve the private exponent from the implementation of modular exponentiation in OpenSSL 1.0.2f, which already contains state-of-the-art protection against timing attacks. The authors also proposed a mitigation to the attack: disable hyperthreading, or only allow it between processes within the same protection domain.
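The padding-oracle mechanism described at the beginning of this subsection can be demonstrated end to end with a toy 8-byte block cipher. The SHA-256-based Feistel network below is entirely our own construction for the demo; the point is that an oracle answering only "was the padding valid?" suffices to recover plaintext bytes without the key:

```python
import hashlib, os

BLOCK = 8
KEY = os.urandom(16)

def _f(half: bytes, rnd: int) -> bytes:
    # Toy Feistel round function built from SHA-256.
    return hashlib.sha256(KEY + bytes([rnd]) + half).digest()[:4]

def enc_block(b: bytes) -> bytes:
    l, r = b[:4], b[4:]
    for rnd in range(4):
        l, r = r, bytes(x ^ y for x, y in zip(l, _f(r, rnd)))
    return l + r

def dec_block(b: bytes) -> bytes:
    l, r = b[:4], b[4:]
    for rnd in reversed(range(4)):
        l, r = bytes(x ^ y for x, y in zip(r, _f(l, rnd))), l
    return l + r

def cbc_encrypt(pt: bytes, iv: bytes) -> bytes:
    pad = BLOCK - len(pt) % BLOCK
    pt += bytes([pad]) * pad
    out, prev = b"", iv
    for i in range(0, len(pt), BLOCK):
        prev = enc_block(bytes(x ^ y for x, y in zip(pt[i:i + BLOCK], prev)))
        out += prev
    return out

def padding_oracle(iv: bytes, ct: bytes) -> bool:
    # Models a server that reveals (via error message or timing) whether
    # the padding of the decrypted message was well-formed.
    prev, pt = iv, b""
    for i in range(0, len(ct), BLOCK):
        blk = dec_block(ct[i:i + BLOCK])
        pt += bytes(x ^ y for x, y in zip(blk, prev))
        prev = ct[i:i + BLOCK]
    pad = pt[-1]
    return 1 <= pad <= BLOCK and pt.endswith(bytes([pad]) * pad)

def recover_last_byte(prev: bytes, target: bytes) -> int:
    # Classic attack step: tweak the last byte of the preceding block
    # until the oracle reports valid (0x01) padding.
    for guess in range(256):
        mod = bytearray(prev)
        mod[-1] ^= guess ^ 0x01
        if padding_oracle(bytes(mod), target):
            mod[-2] ^= 0xFF  # rule out accidental longer paddings
            if padding_oracle(bytes(mod), target):
                return guess
    raise ValueError("oracle failed")

iv = os.urandom(BLOCK)
ct = cbc_encrypt(b"ATTACK A", iv)
last_byte = recover_last_byte(iv, ct[:BLOCK])  # ord("A"), without using KEY
```

Repeating this step across byte positions and blocks recovers whole messages, which is why TLS implementations go to such lengths to make the two failure modes indistinguishable.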
Attacks against missing checks

When implementing complex protocol logic, which is perhaps also presented in a somewhat confusing manner, the implementors may overlook the need for some security checks. There exists a variety of attacks aimed at such oversights. We have already mentioned the POODLE attack, which may work on TLS implementations due to them not checking that the padding of messages has the correct value. An interesting shortcoming was presented in [50], where the complexity of the state machines supporting the TLS handshake was stressed. Depending on the chosen cipher suite and on other options of the protocol, different messages are expected to be sent and received by the parties. For key exchange based on ephemeral Diffie-Hellman, as well as on export-strength RSA, the server is expected to send a ServerKeyExchange message; this message should not be sent or accepted for other methods of key exchange. Also, the messages are expected to come in a certain order, and skipping them should not be allowed. It turned out that in OpenSSL, messages could be sent out of order. In particular, even if strong RSA-based key exchange was selected, the client still accepted the ServerKeyExchange message, using the key in this message instead of the one in the server's certificate. This bug led to the FREAK attack, explained above. Another fault, discovered earlier [52], consisted in both the client and the server accepting a ChangeCipherSpec too early, before a new key was successfully agreed upon. In this case, the actual key material could have been generated from a master secret that the attacker was capable of guessing. In versions of the OpenSSL library below 1.0.1i, the server chooses TLS v1.0 as the protocol version if the first ClientHello message from the client is too fragmented. This allows an attacker to perform downgrade attacks. Since version 1.0.1i, a fragmented ClientHello message leads to the closure of the connection instead [13].
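A minimal sketch of the kind of state-machine discipline whose absence enabled FREAK is given below. The message names follow TLS; the rest is our own simplification:

```python
class HandshakeError(Exception):
    pass

class ClientStateMachine:
    # Expected message order for a strong (non-export) RSA key exchange.
    # ServerKeyExchange is deliberately absent from this list: accepting
    # it anyway was exactly the OpenSSL client bug behind FREAK.
    EXPECTED = ["ServerHello", "Certificate", "ServerHelloDone"]

    def __init__(self):
        self.step = 0

    def receive(self, message: str):
        if self.step >= len(self.EXPECTED) or message != self.EXPECTED[self.step]:
            raise HandshakeError(f"unexpected message: {message}")
        self.step += 1

sm = ClientStateMachine()
sm.receive("ServerHello")
sm.receive("Certificate")
# A man in the middle injecting a 512-bit export key via ServerKeyExchange
# is rejected, because the state machine does not expect that message here.
try:
    sm.receive("ServerKeyExchange")
    injected = True
except HandshakeError:
    injected = False
```

The vulnerable implementations effectively lacked the `EXPECTED[self.step]` comparison: any syntactically valid message was processed regardless of the negotiated cipher suite or position in the handshake.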
Failures in correctly checking the certificate of the other party really form a class of their own, although they can also be grouped under "missing checks". In the 2015 version of this report, we tried to give an overview of such failures, at least in the most used pieces of software, but we now believe that this is a futile attempt. The code for validating TLS certificates in non-browser software has been called "the most dangerous code in the world" [105].
3 RSA public key cryptosystem
In this Chapter, we present descriptions and resource estimates for various attacks against the RSA cryptosystem. The reader should, however, keep in mind that, to the best of our knowledge, none of the major attacks has been fully implemented in practice. This means that all the given resource estimates are imprecise and may be off by a few orders of magnitude.
3.1 Breaking RSA with a classical computer
In recent years, no major cryptanalytic breakthroughs against RSA have occurred. This means that the security level estimates given in the 2012 ECRYPT II report on cryptographic algorithms and key sizes [39] still hold (see also Table 1).
Table 1. ECRYPT II table for security levels of asymmetric encryption
RSA/DLOG keylength    Security level
512                   50
768                   62
1024                  73
1536                  89
2048                  103
So, for example, in order to break RSA-1024 or RSA-2048, one needs to perform about 2^73 or 2^103 operations, respectively, on a (classical) computer. Based on this, we can give a rough estimate of the monetary investment needed to perform such computations. In April 2016, a year of Amazon's cloud computation package m3.medium cost $353⁵. For this price, one gets access to a single core of an Intel Xeon E5-2670 v2 (Ivy Bridge) processor with a maximum clock rate of 3.3 GHz. This gives a yearly performance of
3.3 · 10^9 · 60 · 60 · 24 · 365 ≈ 2^56.53

elementary operations. This in turn implies that the investment needed to break RSA-1024 and RSA-2048 with a classical computer is respectively
2^73 / 2^56.53 · $353 ≈ $32,000,000  and  2^103 / 2^56.53 · $353 ≈ $3.44 · 10^16.
⁵ http://aws.amazon.com/ec2/pricing/, last visited April 21st, 2016
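The arithmetic above is easy to reproduce, under the stated assumption of one elementary operation per clock cycle:

```python
import math

PRICE_PER_CORE_YEAR = 353   # USD, Amazon m3.medium, April 2016
OPS_PER_SECOND = 3.3e9      # one elementary operation per 3.3 GHz clock cycle

ops_per_year = OPS_PER_SECOND * 60 * 60 * 24 * 365
log2_ops = math.log2(ops_per_year)   # ≈ 56.53

cost_rsa1024 = 2 ** 73 / ops_per_year * PRICE_PER_CORE_YEAR   # ≈ $3.2e7
cost_rsa2048 = 2 ** 103 / ops_per_year * PRICE_PER_CORE_YEAR  # ≈ $3.44e16
```

Note how each additional 30 security-level bits multiplies the cost by about 2^30 ≈ 10^9, which is why RSA-2048 remains far beyond classical brute-force budgets even though RSA-1024 is marginal.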
3.2 Breaking RSA with dedicated hardware
In 2005, Franke et al. proposed a special-purpose hardware device called SHARK that implemented the General Number Field Sieve algorithm for factoring large integers [93]. They estimate that, in 2005 prices, hardware for an ASIC farm capable of breaking RSA-1024 in one year would cost about $160 million. Power consumption per factoring would add $60 million more. In 2007, de Meulenaer et al. improved the factoring step within the number field sieve algorithm using elliptic curve methods [78]. Their estimate is that the production cost of the resulting hardware would be about $25.8 million. The method used by de Meulenaer et al. relies on the approach developed by Gaj et al. [94]. In 2010, Zimmermann et al. claimed to have improved the price-performance ratio of this approach by a factor of 37 [179]. All in all, a rough estimate for the investment required to factor one RSA-1024 modulus is on the order of $1 million.
3.3 Breaking RSA with a quantum computer
It was already predicted by Richard Feynman in the 1980s that a quantum computer may outperform classical ones in certain applications. The real breakthrough was made by Peter Shor, who in 1994 presented an algorithm for finding hidden subgroup orders in large groups [159]. This in turn gives rise to algorithms for integer factoring and finding discrete logarithms. Since the majority of present-day asymmetric cryptography relies on the assumed hardness of either factoring or computing discrete logarithms, a practical implementation of such a computer would have enormous implications for cryptographic applications. Among others, the RSA, DSA, ElGamal and elliptic curve cryptosystems would become insecure.

To give an idea of how factoring using Shor's algorithm works, consider the toy example of N = 15 [137]. One starts by picking a random number a ∈ [2, N − 1], say, a = 7. First, we compute gcd(a, N), which can be done fast on a classical computer using the Euclidean algorithm (here gcd stands for the greatest common divisor of the two input numbers). If gcd(a, N) > 1, then a factor of N has already been found and the algorithm may stop. Otherwise we know that a ∈ Z*_N, where Z*_N denotes the multiplicative group of residues modulo N.
We will be interested in the order of a in the group Z*_N, i.e. the smallest positive integer r such that a^r ≡ 1 (mod N). Alternatively, r is the order of the group ⟨a⟩, the subgroup of Z*_N generated by a. For N = 15 and a = 7 we would get
⟨a⟩ = {7^0 ≡ 1, 7^1 ≡ 7, 7^2 ≡ 49 ≡ 4, 7^3 ≡ 343 ≡ 13, 7^4 ≡ 2401 ≡ 1, ...} = {1, 4, 7, 13},

hence r = 4. There is no fast classical algorithm for finding r, but Shor's algorithm achieves exactly this on a quantum computer. Due to considerable technical complexity, we leave
the quantum part for Appendix A. An interested reader can also find further details in G. Eric Moorhouse's excellent presentation [138].

If r turns out to be odd, we run the algorithm again; otherwise we can find (classically) the value of a^(r/2), essentially a square root of 1 modulo N. If N is a product of two primes (as in the case of RSA), there will be four possible values of this square root. Two of them (1 and −1) are not interesting, and if we hit them, we run the whole algorithm again with a new choice of a. But for the two others we know that gcd(a^(r/2) ± 1, N) are non-trivial factors of N. In the case of N = 15, a = 7 and r = 4, we would get

gcd(7^2 + 1, 15) = gcd(50, 15) = 5  and  gcd(7^2 − 1, 15) = gcd(48, 15) = 3.

A straightforward implementation of Shor's algorithm requires a quantum computer of 3⌈log₂(N)⌉ qubits [137]. So, for example, factoring 15 would require 12 qubits, and factoring a 1024-bit RSA modulus would require 3072 qubits. The latter number is currently wildly out of reach for the available technology. In 2016, Monz et al. proposed an improved version of a quantum computer that is able to factor an n-bit number using only n + 1 qubits (instead of the 3n required by the classical Shor algorithm) [137]. However, this improvement in the number of qubits comes at the price of a three times longer running time of the algorithm. As qubits have very short lifetimes, this poses a great engineering challenge in practice. The claims of Monz et al. are also disputed by Cao and Liu [71]. There are also other possible implementations of Shor's algorithm. Interpreting the recent work by John Martinis et al. [43], Jeffrey Morris [139] has estimated the effort required to break a 2048-bit RSA modulus as given in Table 2.
Table 2. Effort required to break RSA-2048
Parameter          Classical computer              Quantum computer
Time to run        10 years                        24 hours
Size of hardware   Server farm covering 1/4       100K logical qubits and
                   of North America                200M physical qubits, in less
                                                   than a small room
Cost               $10^18                          $10^11
For comparison, the GDP of the USA was approximately $1.82 · 10^13 in 2015 [28]. Note also that the cost estimate for breaking RSA-2048 obtained earlier in this Section was $3.44 · 10^16, so the truth probably lies somewhere in between.
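The classical bookends of Shor's algorithm, as applied to the N = 15 example above, can be sketched as follows. The order-finding step is done here by brute force; that is exactly the part a quantum computer speeds up:

```python
from math import gcd

def find_order(a: int, n: int) -> int:
    # Multiplicative order of a modulo n, found by brute force here;
    # Shor's quantum period-finding replaces this exponential-time loop.
    r, x = 1, a % n
    while x != 1:
        x = x * a % n
        r += 1
    return r

def shor_classical(n: int, a: int):
    g = gcd(a, n)
    if g > 1:                  # lucky guess: a already shares a factor with n
        return g, n // g
    r = find_order(a, n)
    if r % 2:                  # odd order: retry with another a
        return None
    s = pow(a, r // 2, n)      # a square root of 1 modulo n
    if s == n - 1:             # trivial root -1: retry with another a
        return None
    return gcd(s - 1, n), gcd(s + 1, n)

factors = shor_classical(15, 7)   # order r = 4, yielding the factors 3 and 5
```

Everything here runs in time polynomial in log n except `find_order`; once that single step becomes fast, so does factoring.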
3.4 Breaking RSA with a D-Wave computer
D-Wave Systems, Inc. is a Canadian company devoted to developing a special kind of quantum computing device, also generally known as D-Wave. First, it needs to be clearly emphasised that D-Wave is not a fully fledged quantum computer in the sense stated by Richard Feynman. Rather, one can say that D-Wave is to a quantum computer what an analogue computer is to a classical digital one.
The D-Wave computer is designed to solve a very specific kind of optimisation problem, namely finding global minima of objective functions. It does so by applying a method called quantum annealing, which is similar to the simulated annealing used on classical computers. Thanks to a special quantum phenomenon known as quantum tunnelling, quantum annealing can theoretically outperform the classical version of the algorithm. Several prototypes of the D-Wave computer have been built and demonstrated. However, the demonstrations have not convincingly shown that a quantum speedup is actually achieved [72]. If the quantum speedup turned out to be real, it would, in principle, be possible to create a device that breaks RSA. For that, one first needs to select a suitable NP-complete optimisation problem and build a D-Wave computer to solve it. (See the textbook [37] for further details on NP-completeness.) Since the integer factoring problem is in the NP complexity class, one would have a polynomial reduction turning an instance of the factoring problem into an instance of the optimisation problem. Solving the latter would give rise to factoring the original RSA modulus. However, this construction relies on several strong assumptions.
1. The D-Wave computer outperforms a classical computer in an asymptotically significant manner.
2. The function to optimise, obtained after the polynomial reduction, can be efficiently implemented on a D-Wave computer.
3. The D-Wave optimisation device really computes global optima of the required functions on a sufficiently large fraction of input instances.
None of these assumptions has yet been reliably verified; hence we can consider breaking RSA with a D-Wave computer to be inconceivable at this point. In fact, leading complexity theorists conjecture that quantum computers (of any kind) cannot efficiently solve NP-hard problems [92]. At the same time, the NP-completeness of integer factoring has not been proved either.
3.5 Transition to 3072-bit RSA
2048-bit RSA is no longer recommended for new implementations requiring long-term (over 10 years) security [39, 160, 18]. However, support for the next logical candidate, 4096-bit RSA, may be missing or too inefficient on some more limited platforms. Hence, an intermediate transition step to 3072-bit RSA may be considered. Even though it is less used (and hence also less tested) than 2048-bit and 4096-bit RSA, the deployment of 3072-bit RSA is not expected to cause major problems. In principle, every installation utilizing 4096-bit RSA should also be capable of handling 3072-bit RSA. Still, making sure that the transition will not cause any problems is the responsibility of the implementer.
4 Elliptic curve cryptography
The 2015 version of the report [18] contained a thorough introduction to elliptic curve cryptography (ECC) together with the required mathematical background. Also, the 2013 report [12] covered the patent issues of ECC. Even though the previous reports were in Estonian, we are not going to translate the corresponding parts here. (This may happen in future versions of the report, though.) Instead, this report only covers the most important updates on the topic. An updated table of ECC support in various libraries can be found in Appendix B, and the next Section covers the controversial announcement made by the NSA concerning phasing out ECC in favour of future, not-yet-existing cryptographic primitives.
4.1 NSA Suite B controversy
In August 2015, the U.S. National Security Agency (NSA) released a public announcement declaring a faster-than-previously-planned transition to post-quantum cryptography [17]. Among its implications is a rather unexpected change in the recommendations concerning elliptic curve cryptography. Namely, the use of the curve P-256 is no longer recommended, and only P-384 remains. The explanations given by the NSA are rather terse and leave a lot of room for speculation. The theories range from the NSA knowing of some non-public breakthrough to attempts at confusing the Russians and the Chinese. The main versions have been analysed by Neal Koblitz and Alfred J. Menezes in their report [119]. The report does not draw any conclusions concerning which version is more likely to be correct. However, it is interesting to note that Koblitz and Menezes argue that the so-called NIST curves (including P-256 and P-384) are likely to be free of backdoors planted during their generation in the 1990s.

From the US government's point of view, the situation was somewhat clarified by the FAQ released by the Information Assurance Directorate in January 2016 [21]. It refers to the long required life cycle (20-30 years) of national security systems as the main reason, together with the belief that a sufficiently powerful quantum computer will be developed during that time. However, assuming that creating sufficiently large quantum computers becomes a reality in the near future, both the curves P-256 and P-384 would be broken with a comparable amount of effort. On the other hand, the FAQ conveniently ignores the question of why the NSA believes that the curve P-384 is considerably more secure than P-256. It seems likely that the FAQ only presents part of the story.
5 Known attacks against hash functions
Hash functions are used in many important security-critical applications like digital signatures, timestamps, message authentication codes and authentication protocols. Attacks against hash functions may thereby have a large influence on the overall security of electronic services. Several hash functions (like MD5 and SHA-1) that are still in use in some applications today have been successfully attacked in terms of collisions. As replacing a hash function in widely used applications tends to be very costly, it is extremely important to know what exactly the practical consequences of the collision attacks are. Finding a collision for a hash function does not necessarily mean that the hash function is insecure in every possible application. Some applications may just need pre-image resistance or second pre-image resistance, not full collision-resistance.
5.1 Types of attacks and the notions of hash function security
Several different security properties of hash functions could be assumed, depending on the application. Often in formal security proofs, hash functions are assumed to be random functions (the so-called random oracle model). With such an assumption in mind, we may define an attack against a hash function as any method capable of finding input-output pairs for the hash function in a way that would be infeasible in the random oracle model. The following three types of attacks against a hash function h() are the most common:
• Pre-image attack: given an output y, find an input M for which h(M) = y.
• Second pre-image attack: given an input M, find a different input M′ so that h(M′) = h(M).
• Collision attack: find two different inputs M and M′ such that h(M) = h(M′).
When claiming something about the security of a hash function, we always have to refer to a particular attack. We say that a hash function is S-secure against a certain attack if every possible attack requires at least time comparable to computing the hash h(M) for S inputs M. Note that no hash function with n-bit output can be more than:
• 2^n-secure pre-image or second pre-image resistant, because using the simple trial-and-error method, a pre-image of any output y can be found with about 2^n hash computations on average;
• 2^(n/2)-secure collision-resistant, because using the birthday attack, a collision can be found by computing the hash outputs of about 2^(n/2) randomly chosen inputs.
For example, SHA-1 (with 160-bit output) cannot be more than 2^160-secure pre-image resistant, nor 2^80-secure collision-resistant. MD5 (with 128-bit output) is no more than
Table 3. Known attacks against hash functions.
Hash function    Collision attack    (2nd) Pre-image attack
MD2              2^63.3              2^72
MD4              3 operations        2^102
MD5              2^18                2^123.4
SHA-0            2^33.6              2^160
SHA-1            2^60.3              2^160
RIPEMD-160       2^80                2^160
SHA2-256         2^128               2^256
SHA2-512         2^256               2^512
2^128-secure pre-image resistant, nor 2^64-secure collision-resistant. In practice, more efficient collision attacks have been found against both of these hash functions. Table 3 summarises the status of the most well-known hash functions.
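The generic birthday bound discussed above can be demonstrated on a deliberately truncated hash. The sketch below is illustrative only: the 24-bit truncation of SHA-256 is an assumption made so the search finishes in roughly 2^12 evaluations, not a real hash function.

```python
import hashlib

def trunc_hash(data: bytes, bits: int = 24) -> int:
    """SHA-256 truncated to `bits` bits, simulating a small-output hash."""
    digest = hashlib.sha256(data).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)

def birthday_collision(bits: int = 24):
    """Find two distinct inputs with the same truncated hash.
    Expected work is about 2**(bits/2) hash evaluations."""
    seen = {}
    i = 0
    while True:
        msg = i.to_bytes(8, "big")
        h = trunc_hash(msg, bits)
        if h in seen:
            return seen[h], msg   # two distinct messages, same hash value
        seen[h] = msg
        i += 1

m1, m2 = birthday_collision(24)   # typically returns after a few thousand hashes
```

Repeating the experiment with a larger `bits` parameter quickly becomes infeasible, which is exactly the point of the 2^(n/2) bound.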
5.2 Collision attacks against Merkle-Damgård hash functions
Most of the known practical hash functions have the so-called Merkle-Damgård structure, which means that the input M is partitioned into blocks M_1, ..., M_ℓ of fixed size and then processed iteratively, taking h_0 = IV (where IV is a fixed initial value) and

h_i = F(h_{i-1}, M_i) for all i = 1, ..., ℓ.

The hash H(M) is defined to be the last-computed value h_ℓ. The function F is called the compression function. For example, MD2, MD4, MD5, SHA-1 and SHA-2 are all Merkle-Damgård hash functions. The most common types of collision attacks are the following.
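The iteration above can be sketched as follows. This is a toy illustration: the 16-byte block size, the SHA-256-based compression function and the simplified zero padding are assumptions of this sketch, not any standardised design.

```python
import hashlib

BLOCK = 16  # toy block size in bytes

def compress(chaining: bytes, block: bytes) -> bytes:
    """Toy compression function F, built from SHA-256 for illustration only."""
    return hashlib.sha256(chaining + block).digest()[:16]

def merkle_damgard(message: bytes, iv: bytes = b"\x00" * 16) -> bytes:
    """Iterate F over fixed-size blocks, as in the Merkle-Damgård design.
    Real designs also append the message length (Merkle-Damgård strengthening);
    the plain zero padding used here would allow trivial collisions such as
    b"abc" vs b"abc\\x00"."""
    if len(message) % BLOCK:
        message += b"\x00" * (BLOCK - len(message) % BLOCK)
    h = iv                                     # h_0 = IV
    for i in range(0, len(message), BLOCK):
        h = compress(h, message[i:i + BLOCK])  # h_i = F(h_{i-1}, M_i)
    return h                                   # H(M) = h_l
```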
Collision attack Find M ≠ M′ so that H(M) = H(M′). The first collision attack against MD5 was presented by Wang, Feng, Lai, and Yu in 2004 [171]. No successful collision attacks against SHA-1 are known to have been carried out. The first theoretical attack (with 2^69 hash steps) was described by Wang, Yin and Yu in 2005 [173]. The best known attack (with 2^60.3 hash steps) was presented by Stevens in 2013 [162]. Grechnikov presented an attack against a reduced version (74 of 80 rounds) of SHA-1 with 2^35 hash steps [90]. Note that the general collision attack is not necessarily dangerous in practice, as M and M′ are not necessarily meaningful messages.
Chosen-prefix collision attack Given two prefixes M_1 and M_2, find continuations M_1′ and M_2′ so that M_1‖M_1′ ≠ M_2‖M_2′ but H(M_1‖M_1′) = H(M_2‖M_2′). The first chosen-prefix collision attack (with 2^39 hash steps) against MD5 was presented by Stevens, Lenstra and de Weger in 2007 [164, 165]. No chosen-prefix collision attacks against SHA-1 are known to have been carried out. The first theoretical attack (with 2^74 hash steps) was published by Stevens in 2013 [162]. Chosen-prefix collision attacks are indeed dangerous in practice. For example, a chosen-prefix collision attack against MD5 was successfully used to forge certificates of Certification Authorities [166].
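A chosen-prefix collision can be illustrated on a deliberately truncated hash, where the generic birthday bound is within reach. This is a toy sketch: the `trunc` helper, the 24-bit truncation and the example prefixes are illustrative assumptions, not the attacks cited above.

```python
import hashlib

def trunc(data: bytes, bits: int = 24) -> int:
    """SHA-256 truncated to `bits` bits, a toy stand-in for a weak hash."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") >> (256 - bits)

def chosen_prefix_collision(p1: bytes, p2: bytes, bits: int = 24):
    """Given two chosen prefixes, find suffixes s1, s2 so that
    trunc(p1 + s1) == trunc(p2 + s2), by a two-set birthday search."""
    table = {}
    for i in range(2 ** (bits // 2 + 3)):  # hash many suffixes under prefix p1
        s = i.to_bytes(8, "big")
        table[trunc(p1 + s, bits)] = s
    for i in range(2 ** bits):             # search for a matching value under p2
        s = i.to_bytes(8, "big")
        h = trunc(p2 + s, bits)
        if h in table:
            return table[h], s
    raise RuntimeError("no collision found")

s1, s2 = chosen_prefix_collision(b"Pay 10 EUR to Alice. ",
                                 b"Pay 9999 EUR to Mallory. ")
```

Both resulting messages start with the attacker-chosen prefixes, which is what makes this attack type dangerous: the colliding documents can be meaningful.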
The target of the next attacks is the compression function F of the hash function and hence, these attacks are not attacks against the full hash function.
Freestart collision attack (or pseudo-collision attack) Find pairs (V, M) ≠ (V′, M′) so that F(V, M) = F(V′, M′). This is equivalent to finding any collision for the compression function. The first successful freestart collision attack against MD5 was published by den Boer and Bosselaers in 1993 [81]. The first successful freestart collision attack (with 2^57.5 hash steps) against SHA-1 was published by Stevens, Karpman, and Peyrin in 2015 [163].
Semi-freestart collision attack Find M ≠ M′ and V so that F(V, M) = F(V, M′). The first successful semi-freestart collision attack against MD5 was published by Dobbertin in 1996 [86]. No semi-freestart collision attacks against SHA-1 are known to have been carried out.
Near-collision attack Given V and V′, find M ≠ M′ so that F(V′, M′) and F(V, M) differ in a small number of bits or are “close” in some other previously defined way. Near-collision attacks have no direct practical implications, but they are used as tools in attacks against the full hash function. For example, near-collisions were used in the chosen-prefix collision attack by Stevens in 2013 [162].
Collision attacks against the compression function F of a Merkle-Damgård hash function H do not necessarily yield a collision attack against the full hash function H, because the chaining value V is not necessarily the right (standard) initial value IV. If V ≠ IV, then in order to extend a collision (with pairs (V, M) and (V, M′)) to a collision of the full hash function, one has to find a prefix W such that H(W) = V, because then indeed H(W‖M) = H(W‖M′), due to the Merkle-Damgård structure of H:

H(W‖M) = F(F(IV, W), M) = F(H(W), M) = F(V, M) = F(V, M′) = F(F(IV, W), M′) = H(W‖M′).

If, however, an efficient attack is found that, for a randomly chosen V, finds (with reasonable probability) M ≠ M′ so that F(V, M) = F(V, M′), then it would also be efficient to find collisions for the full hash function. Indeed, one can launch this attack for V = F(IV, W), where W is a uniformly random prefix, to find M and M′ so that F(V, M) = F(V, M′), and then H(W‖M) = H(W‖M′) as explained above.
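This extension argument can be checked on a toy Merkle-Damgård hash with a deliberately small (16-bit) compression function, where a collision at the chaining value V = F(IV, W) is cheap to find by brute force. All names, sizes and the SHA-256-based toy F are illustrative assumptions of this sketch.

```python
import hashlib

BLOCK = 4  # toy 4-byte message blocks

def F(v: bytes, m: bytes) -> bytes:
    """Toy 16-bit compression function (illustrative, not secure)."""
    return hashlib.sha256(v + m).digest()[:2]

def H(msg: bytes, iv: bytes = b"\x00\x00") -> bytes:
    """Toy Merkle-Damgård hash built from F (length padding omitted)."""
    h = iv
    for i in range(0, len(msg), BLOCK):
        h = F(h, msg[i:i + BLOCK])
    return h

W = b"pref"           # one-block prefix, so H(W) = F(IV, W)
V = H(W)
# Birthday-search a compression-function collision at chaining value V ...
seen = {}
for i in range(2 ** 32):
    m = i.to_bytes(BLOCK, "big")
    out = F(V, m)
    if out in seen:
        m1, m2 = seen[out], m
        break
    seen[out] = m
# ... which, as argued above, extends to a collision of the full hash:
assert m1 != m2 and H(W + m1) == H(W + m2)
```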
5.3 Practical chosen-prefix collision attack against certificates
In 2009, Stevens, Sotirov, Appelbaum, Lenstra, Molnar, Osvik and de Weger [166] showed that chosen-prefix collision attacks against MD5 can be used to forge real-life web-server certificates. The idea of the attack is to generate two different X.509 certificates with the same MD5 hash, which is the hash a Certification Authority signs. One certificate (the rogue certificate) is a so-called CA certificate that has the authority to sign new certificates (for example, for the google.com website) and that many web browsers would blindly accept and trust. The second certificate, the data of which is presented to the Certification Authority, is an ordinary user certificate without the right to issue new certificates. By signing the second certificate, the Certification Authority also implicitly signs the
rogue certificate, because their hashes match. The rogue certificate can then be used to sign new certificates that might later be used in several e-business related theft schemes. For example, the attacker is able to simulate an arbitrary internet service (like gmail.com or swedbank.ee), steal passwords, read arbitrary e-mails, etc. Considering the progress in attacks against SHA-1, such as Wang et al. [173, 172] and Stevens [162], and the fact that many Certification Authorities still use SHA-1, it is natural to study the practical consequences of the rogue certificate attack against different types of Certification Authorities. Note that the reliability of root certificates, which are self-signed, does not depend on the security of the hash function that is used to sign them. Self-signed certificates are just software containers for public keys and do not by themselves provide any security or reliability. The integrity and authenticity of self-signed certificates has to be achieved by non-cryptographic (physical, organisational, etc.) means.
5.4 The cost of chosen-prefix collision attacks against SHA-1
Based on the techniques used in the 2015 collision attack against SHA-1 [163], the cost of a collision attack against SHA-1 is estimated at between 75,000 and 120,000 US dollars when renting Amazon EC2 cloud capacity for a few months, which is about 100 times lower than estimated in the previous report [12]. As chosen-prefix collision attacks against SHA-1 are about 2^17 times more costly than an ordinary collision attack, the estimated cost of a chosen-prefix collision attack is between 9.8 and 15.7 billion US dollars, which means that these attacks are already feasible for large organisations and companies.
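The figures above can be reproduced with a line of arithmetic; the 2^17 factor and the EC2 cost range are the estimates quoted in the paragraph, not independent data.

```python
# Reproducing the report's cost arithmetic: a chosen-prefix collision is
# taken to be 2**17 times more expensive than a plain SHA-1 collision.
collision_cost_usd = (75_000, 120_000)   # EC2 rental estimate from [163]
factor = 2 ** 17                          # extra work for chosen prefixes

low, high = (c * factor for c in collision_cost_usd)
print(f"{low / 1e9:.1f} to {high / 1e9:.1f} billion USD")
# prints: 9.8 to 15.7 billion USD
```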
5.5 Attacks against existing certificates
Chosen-prefix collision attacks are the only known practically feasible attacks with practical security implications. Their application against Certification Authorities is only possible during the process of applying for a new certificate and cannot be used against existing certificates. In order to apply for certificates, the applicants must identify themselves to Certification Authorities. This means that if a rogue certificate is discovered, the attacker’s identity can be determined using the logs of Certification Authorities.

At first glance, much more dangerous attacks are those targeted at existing certificates, because such attacks can be launched without communicating with Certification Authorities and without the risk of being identified as an attacker. For example, an attacker may try, based on an existing certificate X, to find a new rogue certificate X′ ≠ X so that their SHA-1 hashes match. For example, if X is the certificate of an OCSP server of the Estonian ID-card infrastructure, then the attacker would be able (under certain conditions) to forge digital signatures of any Estonian eID user.

Note, however, that such an attack is not a collision attack but an attack against second pre-image resistance, because X is fixed before the attack. No practical second pre-image attacks against SHA-1 are known. Moreover, even against MD5, such attacks would take about 2^123 hash steps, which is about 2^46 (≈ 10^14) times more than the chosen-prefix collision attack against SHA-1.
Table 4 summarises the practical consequences of attacks against hash functions for the most important electronic services. As we can see, second pre-image attacks have the most serious practical consequences, but such attacks are far from feasible today, even against MD4 and MD5, which are totally broken in terms of collisions. General collision attacks can, in principle, be used to forge digital signatures, but only on meaningless random-looking documents.
Table 4. Practical consequences of attacks against hash functions.
                               2nd pre-image attack         Chosen-prefix collision attack    Collision attack

Attacker stays anonymous       yes                          no                                no
Impersonation                  yes                          yes, with rogue certificates      no
Forged signatures              yes                          yes                               yes, but for meaningless
                                                                                             documents
Repeatable forgeries           yes, with rogue              yes, with rogue certificates      no
                               certificates
Forged time stamps             yes                          yes, with rogue certificates,     no
                                                            and only for RFC 3161
                                                            timestamps
Forged archival documents      yes, if not timestamped      no                                no
                               securely (with a new, more
                               secure hash function)
                               before the hash function
                               becomes insecure
Practical feasibility          Infeasible, requires         Feasible for everyone,            Simple, a few seconds on
against MD5                    2^123 hash steps             requires 2^39 hash steps          an ordinary computer
Practical feasibility          Infeasible, requires         Feasible for large                Feasible for large
against SHA-1                  2^160 hash steps             organisations                     organisations
Only chosen-prefix collision attacks are capable of creating forged signatures on meaningful documents and of launching some other practical attacks. Rogue certificate attacks are of central importance here, especially those not requiring direct identification of the applicant for the certificate. For example, web-server certificates are suitable targets for such attacks. Hence, the most important practical consequence of chosen-prefix collision attacks and their estimated cost is that SHA-1 must not be used for signing web-server certificates.
6 The SHA-3 hash function
The SHA-3 cryptographic hash function standard was released by NIST in August 2015. The SHA-3 standard is based on the Keccak hash function, designed by Guido Bertoni, Joan Daemen, Michaël Peeters, and Gilles Van Assche.

During 2006–2012, NIST organised a hash function competition in order to choose a new hashing algorithm for the upcoming hash standard, SHA-3. The goal was not to replace SHA-2, as no practical attacks against SHA-2 were known. However, successful attacks against MD5 and the earlier version of SHA-1 showed that more hash functions are needed, possibly with a structure that deviates from the standard Merkle-Damgård design. Indeed, Keccak is based on the so-called sponge design, which is somewhat different from all the previous hash functions. In October 2012, Keccak was selected as the winner of the competition and was standardised after some adjustments:

• an increased number of rounds,
• a padding scheme simplified from a more complex scheme to the 10*1 pattern,
• an increased hashing rate (to the maximum rate that the security calculation allowed).
In 2014, NIST published a draft version of FIPS 202, "SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions", and the final version of FIPS 202 was approved on August 5, 2015 [20].
6.1 Sponge construction
A sponge construction has the following components:
• a b-bit state memory S, divided into two parts: (1) R of size r (called the bitrate) and (2) C of size c (called the capacity), so that b = r + c;
• a state transformation function f : S → S;
• a padding function P that appends bits to the input string in order to adjust the input length to a multiple of r.
The sponge construction is initialized as follows:
1. The state S is initialised to 0^b; 2. The input message is padded and divided into r-bit blocks using the padding function P.
Then, for all blocks (starting from the first block), the following operations are performed:
1. R is XOR-ed with the r-bit block;
2. S is replaced by f(S); 3. The next block is taken.
This process resembles absorbing water in a sponge. If there are no blocks left, then the output is produced with the following process that resembles squeezing water out of the sponge.
1. Output the r-bit R portion of the state memory S; 2. If more output bits are needed, S is replaced by f(S) and the process is repeated.
If the requested output length is not a multiple of r, the last block is truncated. The collision resistance and pre-image resistance of a sponge-type hash function depend on the exact construction of f, as well as on the parameters r and c. Figure 1 illustrates this construction.
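The absorb/squeeze process above can be sketched as follows. This is a toy model: the byte-level granularity, the SHA-256-based transformation f and the simplified padding are assumptions of this sketch, not Keccak itself.

```python
import hashlib

R = 8   # bitrate in bytes (toy value)
C = 24  # capacity in bytes; the state is b = R + C = 32 bytes

def f(state: bytes) -> bytes:
    """Toy state transformation (stands in for Keccak-f; not secure)."""
    return hashlib.sha256(state).digest()

def pad(msg: bytes) -> bytes:
    """Simplified 10*1-style padding at byte level, to a multiple of R."""
    j = (-len(msg) - 2) % R
    return msg + b"\x01" + b"\x00" * j + b"\x01"

def sponge(msg: bytes, out_len: int = 16) -> bytes:
    state = b"\x00" * (R + C)
    padded = pad(msg)
    # Absorbing phase: XOR each block into the R portion, then apply f.
    for i in range(0, len(padded), R):
        block = padded[i:i + R]
        mixed = bytes(a ^ b for a, b in zip(state[:R], block))
        state = f(mixed + state[R:])
    # Squeezing phase: output R bytes of the state at a time.
    out = b""
    while len(out) < out_len:
        out += state[:R]
        state = f(state)
    return out[:out_len]  # truncate if out_len is not a multiple of R
```

Note that the capacity bytes are never directly touched by the input or revealed in the output; this hidden part of the state is what the sponge's security argument rests on.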
Figure 1. The sponge construction: padded input message M is converted to the output hash h(M).
6.2 Padding
Given the bitrate r and the message length m in bits, the padding algorithm returns a padding string P such that m + |P| is a positive multiple of r. The padding string is of the form

P = 1 ‖ 0^j ‖ 1,

where j = (−m − 2) mod r and ‖ denotes the concatenation operation.
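The padding rule can be transcribed directly at the bit level; the list-of-bits representation is an implementation choice of this sketch.

```python
def pad10star1(m_bits: list[int], r: int) -> list[int]:
    """SHA-3 pad10*1: append 1, then j zeros, then 1, where
    j = (-len(m) - 2) mod r, so the result is a positive multiple of r bits."""
    j = (-len(m_bits) - 2) % r
    return m_bits + [1] + [0] * j + [1]

# A 3-bit message padded to the next multiple of r = 8 bits:
padded = pad10star1([1, 0, 1], 8)
# padded == [1, 0, 1, 1, 0, 0, 0, 1]
```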
6.3 State transformation function
In SHA-3, the state S is logically divided into a 5 × 5 array of 64-bit words, with a total length of b = 1600 bits. The state transformation function is defined for any power-of-two word size w = 2^ℓ bits. In all instances of SHA-3, ℓ = 6 and w = 64. The state can also be considered as a 5 × 5 × w array of bits. Let A[i][j][k] be the bit (5i + j) · w + k of the input. Note that all index operations are performed mod 5 for the first two indices, and mod w for the third index. The state transformation function iterates 12 + 2ℓ = 24 times the following five sub-rounds, denoted in the standard by Greek letters:
θ: Find the parity bit of each 5-bit column, and XOR it into two nearby columns in a regular pattern:

A[i][j][k] ← A[i][j][k] ⊕ parity(A[0...4][j−1][k]) ⊕ parity(A[0...4][j+1][k−1]).

ρ: Rotate each of the 25 words bitwise by a triangular number 0, 1, 3, 6, 10, 15, ..., i.e. A[0][0] is not rotated, and for all 0 ≤ t < 24:

A[i][j][k] ← A[i][j][k − (t + 1)(t + 2)/2],

where

    [i]   [3 2]^t [0]
    [j] = [1 0]   [1]

and the computations are performed mod 5.

π: Permute the 25 words in a fixed pattern: A[j][2i + 3j] ← A[i][j].
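The θ sub-round can be transcribed almost literally from its formula. This is a plain, unoptimised sketch; real implementations operate on whole 64-bit lanes at once rather than on individual bits.

```python
W = 64  # lane size w in SHA-3

def theta(A):
    """θ sub-round on a 5x5xW nested list of bits, following the indexing
    A[i][j][k] used above; the first two indices wrap mod 5, the third mod W."""
    # Parity of each 5-bit column A[0..4][j][k].
    parity = [[0] * W for _ in range(5)]
    for j in range(5):
        for k in range(W):
            p = 0
            for i in range(5):
                p ^= A[i][j][k]
            parity[j][k] = p
    # XOR the parities of the two nearby columns into every bit.
    B = [[[0] * W for _ in range(5)] for _ in range(5)]
    for i in range(5):
        for j in range(5):
            for k in range(W):
                B[i][j][k] = (A[i][j][k]
                              ^ parity[(j - 1) % 5][k]
                              ^ parity[(j + 1) % 5][(k - 1) % W])
    return B
```

On an all-zero state θ is the identity, while a single set bit spreads into two whole columns, illustrating the diffusion this sub-round provides.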